Contributor II
Posts: 47
Registered: ‎01-07-2013

Limit number of unique devices for a user

Hi

 

In our environment there have been requests to limit the number of devices a user can utilize on the WIFI network and also register the username of each device.

Users authenticate with AD username and password.

I have created an Enforcement profile that updates the endpoint with the username.

Endpoint Username = %{Authentication:Username}

This part is successful.

 

In the authentication service I specify a condition for the Enforcement policy 

 (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1)  [Deny Access Profile] 

This doesn't seem to work, I can access the network with multiple devices as a specific user.

 

Just for the test I have tried to register as a guest, and the rule above works perfectly if a guest user tries to authenticate twice, but not if an AD user authenticates twice.

 

Have I missed anything in the configuration or isn’t this possible to implement in the way we planned?

 

 

Regards

Jonas

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Limit number of unique devices for a user

For 802.1x, you need to use a post authentication enforcement profile that will either enforce bandwidth or simultaneous sessions.

 

For that you will need:

 

- Interim accounting enabled on your Wireless Lan Controller

- COA or change of authorization (RFC 3566) configured on your Wireless Controller and in your definition for that WLC in ClearPass

- Insight Enabled on your ClearPass Policy Manager.

 

The config is different from looking for how many users have logged in for guests, because it relies on current vs. historical data.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor II
Posts: 47
Registered: ‎01-07-2013

Re: Limit number of unique devices for a user

Do I understand this correctly?

 

With 802.1x I can only limit the number of simultaneous devices a user can connect to the network.

Not limit the user to only utilize one specific device, i.e. an iPad, and block any other device the same user tries to connect anytime in the future?

 

One example:

The user Bob connects his iPad to the network.

Later he tries to connect his iPhone, but this should not be granted access as long as the iPad is bound to his username.

 

Would it be possible to implement this type of solution without Onboard?

Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: Limit number of unique devices for a user


jonas.hammarback wrote:

Do I understand this correctly?

With 802.1x I can only limit the number of simultaneous devices a user can connect to the network.

Not limit the user to only utilize one specific device, i.e. an iPad, and block any other device the same user tries to connect anytime in the future?

One example:

The user Bob connects his iPad to the network.

Later he tries to connect his iPhone, but this should not be granted access as long as the iPad is bound to his username.

Would it be possible to implement this type of solution without Onboard?


I must be having a problem understanding English.  I apologize.  I just re-read your first post.

 

You should be able to accomplish what you want, just like you said.  

 

You will want to put the endpoints repository into the Authorization Tab.  In the access tracker, under Input and Authorization attributes, it should say what the Authorization Endpoints Repository Unique device count number should be.

 

Colin Joseph
Aruba Customer Engineering
Contributor II
Posts: 47
Registered: ‎01-07-2013

Re: Limit number of unique devices for a user

Ok, I see...

 

In the service I have checked the Authorization check box on the Service tab, and in the new Authorization tab added the Endpoints Repository as an additional authorization source.

 

But when I authenticate I don't get the Unique device count under Authentication Attributes in the Input tab. I can only see authorization attributes from the AD.

But on the summary tab I can see that Endpoint Repository is listed as Authorization source.

Contributor II
Posts: 47
Registered: ‎01-07-2013

Re: Limit number of unique devices for a user

After additional testing, and also deleting the test device from the controller session table, I finally got the behavior I expected from the beginning.

 

The thing I actually missed in my initial configuration was to enable Authorization in the Service tab and to add the Endpoint Repository as an additional authorization source in the Authorization tab.

 

Thanks for your assistance

 

Regards Jonas

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Limit number of unique devices for a user

 

What attributes did you use under the Enforcement Profiles to achieve this?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 47
Registered: ‎01-07-2013

Re: Limit number of unique devices for a user

I created an Enforcement Policy as a copy of the default policy "Guest - MAC Caching - Limit 1 Device"

 

Conditions -> Actions
1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1) -> [Deny Access Profile]
2. (Date:Day-of-Week BELONGS_TO Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday) -> Guest Session Timeout, Guest Bandwidth Limit, Guest Session Limit, Guest MAC Caching, [Update Endpoint Known]

 

Next step will be to implement different roles based on AD group membership, and allow some users to have more than one device.

 

Regards

Jonas
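The following is an added example, not code from the thread or from ClearPass: a small Python model of the enforcement policy above, showing why the Unique-Device-Count rule can only deny when the Endpoints Repository is an authorization source of the service (the attribute is otherwise absent and the condition never matches). It assumes first-match evaluation, constructed MAC addresses, and that the authenticating MAC is counted together with endpoints already bound to the username; all three are assumptions, not facts from the thread.

```python
# Constructed model of the ClearPass pieces the thread discusses (not the product's code).

class EndpointRepo:
    """Stand-in for the ClearPass Endpoints Repository (MAC -> Username)."""

    def __init__(self):
        self.endpoints = {}

    def unique_device_count(self, username, mac):
        # Assumption (not stated in the thread): the authenticating MAC is counted
        # together with the endpoints already bound to the username, so that
        # "Unique-Device-Count GREATER_THAN 1" denies a second device.
        bound = {m for m, u in self.endpoints.items() if u == username}
        bound.add(mac)
        return len(bound)

    def update_endpoint(self, mac, username):
        # Effect of the profile "Endpoint Username = %{Authentication:Username}".
        self.endpoints[mac] = username


def authorize(repo, username, mac, repo_is_authz_source=True, max_devices=1):
    """Evaluate one 802.1X request against the thread's policy, first match wins.

    Returns (decision, count); count is None when the attribute was unavailable.
    """
    attrs = {}
    if repo_is_authz_source:
        # Only then does Access Tracker show the attribute under Authorization.
        attrs["Authorization:[Endpoints Repository]:Unique-Device-Count"] = \
            repo.unique_device_count(username, mac)
    count = attrs.get("Authorization:[Endpoints Repository]:Unique-Device-Count")
    # Rule 1: (Unique-Device-Count GREATER_THAN max_devices) -> [Deny Access Profile].
    # A missing attribute never matches, which is the symptom Jonas first saw.
    if count is not None and count > max_devices:
        return "deny", count
    # Rule 2: allow and bind the endpoint to the user ([Update Endpoint Known]).
    repo.update_endpoint(mac, username)
    return "allow", count


def bob_scenario(repo_is_authz_source=True):
    """Bob's iPad, then his iPhone, then the iPad again (constructed MACs)."""
    repo = EndpointRepo()
    ipad, iphone = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    return [authorize(repo, "bob", m, repo_is_authz_source)[0]
            for m in (ipad, iphone, ipad)]
```

Raising max_devices per AD group is the hook for the follow-up step mentioned in the last post, where some users are allowed more than one device.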
